merge with branch issue-320

2026-02-04 21:59:10 +01:00 · 2013-02-04 15:53:46 +01:00
parent c22fc85b7a 5ca6931b72
commit 8979ff837a
3 changed files with 141 additions and 1 deletions
--- a/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/HttpUtil.java
@@ -35,6 +35,7 @@ package sonia.scm.util;

 //~--- non-JDK imports --------------------------------------------------------

+import com.google.common.base.CharMatcher;
 import com.google.common.base.Strings;

 import org.slf4j.Logger;
@@ -162,10 +163,17 @@ public final class HttpUtil

  /**
   * Pattern for url normalization
-   * @sincee 1.26
+   * @since 1.26
   */
  private static final Pattern PATTERN_URLNORMALIZE =
    Pattern.compile("(?:(http://[^:]+):80(/.+)?|(https://[^:]+):443(/.+)?)");
+  
+  /**
+   * CharMatcher to select cr/lf and '%' characters
+   * @since 1.28
+   */
+  private static final CharMatcher CRLF_CHARMATCHER =
+    CharMatcher.anyOf("\n\r%");

  //~--- constructors ---------------------------------------------------------

@@ -240,6 +248,30 @@ public final class HttpUtil
      SEPARATOR_PARAMETER_VALUE).append(value).toString();
  }

+  /**
+   * Throws an {@link IllegalArgumentException} if the parameter contains
+   * illegal characters which could imply a CRLF injection attack.
+   * <stronng>Note:</strong> the current implementation throws the
+   * {@link IllegalArgumentException} also if the parameter contains a "%". So
+   * you have to decode your parameters before the check,
+   *
+   * @param parameter value
+   *
+   * @since 1.28
+   */
+  public static void checkForCRLFInjection(String parameter)
+  {
+    if (CRLF_CHARMATCHER.matchesAnyOf(parameter))
+    {
+      logger.error(
+        "parameter \"{}\" contains a character which could be an indicator for a crlf injection",
+        parameter);
+
+      throw new IllegalArgumentException(
+        "parameter contains an illegal character");
+    }
+  }
+
  /**
   * Method description
   *
@@ -331,6 +363,22 @@ public final class HttpUtil
    return url;
  }

+  /**
+   * Remove all chars from the given parameter, which could be used for
+   * CRLF injection attack. <stronng>Note:</strong> the current implementation
+   * the "%" char is also removed from the source parameter.
+   *
+   * @param parameter value
+   *
+   * @return the parameter value without crlf chars
+   *
+   * @since 1.28
+   */
+  public static String removeCRLFInjectionChars(String parameter)
+  {
+    return CRLF_CHARMATCHER.removeFrom(parameter);
+  }
+
  /**
   * Method description
   *